A team of researchers from the Georgia Institute of Technology and Purdue University has demonstrated the WireTap attack. The researchers showed that a passive DIMM-interposer can be used to compromise the DCAP attestation mechanism in Intel Software Guard Extensions (Intel SGX).
Like the recently disclosed Battering RAM attack, WireTap requires physical access to an SGX-enabled target server and relies on an interposer that, according to the researchers, can be assembled from used electronic components for less than US$1,000.
Theoretically, such attacks could be carried out by rogue employees of cloud providers, data center technicians, representatives of law enforcement, or actors in the hardware supply chain (at the manufacturing or delivery stage).
“Like two sides of the same coin, WireTap and Battering RAM examine the complementary properties of deterministic encryption. And while WireTap is primarily aimed at compromising confidentiality, Battering RAM focuses first and foremost on integrity. But the bottom line is the same — SGX and SEV can be easily compromised through memory tampering,” the experts write.
Intel SGX (Software Guard Extensions) is a security mechanism built into some Intel processors that creates enclaves—protected, isolated regions of memory inside the processor—which encrypt and protect application data and code even from the OS or other privileged software. This ensures the confidentiality and integrity of critical computations, for example, to protect secret algorithms, encryption keys, or personal data in cloud services. In addition, enclaves are designed to protect data and code even if the rest of the system is compromised.
In the report, the researchers write that after installing an interposer, they were able to slow down and intercept DDR4 bus traffic, and then gain control over the SGX enclave by flushing the cache. After that, they turned to the SGX cryptographic mechanism and extracted the machine’s attestation key, spending about 45 minutes on the process.
It is noted that such a compromised key can be used to undermine the confidentiality of numerous systems, including the privacy-preserving smart contract networks Phala and Secret, as well as the centralized blockchain system Crust.
In the attacks on Phala and Secret, researchers were able to extract the contracts’ data-encryption keys by forging quotes in a specially crafted enclave, which allowed them to decrypt the state of smart contracts across the entire network.
In the case of Crust, the researchers demonstrated that an attacker can use a compromised key and a modified enclave to forge proofs of storage, thereby compromising the integrity and correctness of the network node’s operation.
“It is possible to build a device that can physically tap all memory traffic cheaply and easily — using basic electronic tools and equipment that can be readily purchased online. Using an interposer against the SGX attestation mechanism, we were able to extract the attestation secret key from a machine in a fully trusted state, thereby compromising SGX security,” the experts’ report states.
Researchers note that to protect against the WireTap attack, one can abandon deterministic memory encryption, ensure sufficient entropy in each encryption block, encrypt the signature within the attestation report, increase the memory bus frequency, and centralize the issuance of the master key to all SGX enclaves using a secure key management system.
A group of researchers notified Intel about the issue back in early 2025. After the study was published, Intel representatives confirmed the existence of the problem; however, the company emphasizes that carrying out the attack requires physical access to the hardware and the installation of an interposer, which falls outside the usual SGX threat model.